Date: Fri, 9 Feb 2018 12:12:39 +1100
From: David Black <dblack@...assian.com>
To: bugtraq@...urityfocus.com
Subject: Advisory - Fisheye and Crucible - CVE-2017-16861
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
This email refers to the advisory found at
https://confluence.atlassian.com/x/iPQyO and
https://confluence.atlassian.com/x/h-QyO .
CVE ID:
* CVE-2017-16861.
Product: Fisheye and Crucible.
Affected Fisheye and Crucible product versions:
version < 4.4.5
4.5.0 <= version < 4.5.2
Fixed Fisheye and Crucible product versions:
* for 4.5.x, Fisheye 4.5.2 has been released with a fix for this issue.
* for 4.5.x, Crucible 4.5.2 has been released with a fix for this issue.
* for 4.4.x, Fisheye 4.4.5 has been released with a fix for this issue.
* for 4.4.x, Crucible 4.4.5 has been released with a fix for this issue.
Summary:
This advisory discloses a critical severity security vulnerability in Fisheye
and Crucible.
Versions of Fisheye and Crucible before 4.4.5 (the fixed version for 4.4.x)
and from 4.5.0 before 4.5.2 (the fixed version for 4.5.x) are affected by this
vulnerability.
Customers who have upgraded their Fisheye and Crucible installations to
version 4.4.5 or 4.5.2 are not affected.
Customers who have downloaded and installed Fisheye or Crucible less than 4.4.5
(the fixed version for 4.4.x) or who have downloaded and installed Fisheye or
Crucible >= 4.5.0 but
less than 4.5.2 (the fixed version for 4.5.x) please upgrade your Fisheye and
Crucible installations immediately to fix this vulnerability.
Remote code execution through OGNL double evaluation (CVE-2017-16861)
Severity:
Atlassian rates the severity level of this vulnerability as critical, according
to the scale published in our Atlassian severity levels. The scale allows us to
rank the severity as critical, high, moderate or low.
This is our assessment and you should evaluate its applicability to your own IT
environment.
Description:
It was possible for double OGNL evaluation in certain redirect action and in
WebWork URL and Anchor tags in JSP files to occur. An attacker who can access
the web interface of Fisheye or Crucible or who hosts a website that a user
who can access the web interface of Fisheye or Crucible visits, is able to
exploit this vulnerability to execute Java code of their choice on systems
that run a vulnerable version of Fisheye or Crucible.
Versions of Fisheye and Crucible before 4.4.5 (the fixed version for 4.4.x)
and from 4.5.0 before 4.5.2 (the fixed version for 4.5.x) are affected by
this vulnerability.
This issue can be tracked at: https://jira.atlassian.com/browse/FE-6991 .
Fix:
To address this issue, we've released the following versions containing a fix:
* Fisheye version 4.5.2
* Fisheye version 4.4.5
* Crucible version 4.5.2
* Crucible version 4.4.5
Remediation:
Upgrade Fisheye and Crucible to version 4.5.2 or higher.
The vulnerabilities and fix versions are described above. If affected, you
should upgrade to the latest version immediately.
If you are running Fisheye or Crucible 4.4.x and cannot upgrade to 4.5.2,
upgrade to version 4.4.5.
For a full description of the latest version of Fisheye, see
the release notes found at
https://confluence.atlassian.com/display/FISHEYE/Fisheye+releases. You can
download the latest version of Fisheye from the download centre found at
https://www.atlassian.com/software/fisheye/download.
For a full description of the latest version of Crucible, see
the release notes found at
https://confluence.atlassian.com/display/CRUCIBLE/Crucible+releases. You can
download the latest version of Crucible from the download centre found at
https://www.atlassian.com/software/crucible/download.
Support:
If you have questions or concerns regarding this advisory, please raise a
support request at https://support.atlassian.com/.
-----BEGIN PGP SIGNATURE-----
iQI0BAEBCgAeBQJafPV0FxxzZWN1cml0eUBhdGxhc3NpYW4uY29tAAoJECQgl6K8
UnagpA0P/3TVLzwWiv7wwRqnTyhkR9UucS9rz0szFH567oEWISGCXXN6uNLqzMKS
v9Eiw3xKIfeuk1kHy+QgamdVMugd4uUyUl1efDNURuAUDvbbA8BSJmQnElRU0bZ1
yLzdp6WYvc5gzV2ZvpjDi8FF9nXdQXoZWGFUzzRr9NNFmEo2KRJUkoxQNfiRnwX6
KV1koTWW7HeFVmwPNfPUL04CFPpZWrmZIwJTCnv5wojyzKW7tsegm8dIQsDVNplH
1r+KX/kpTYF2aVVEBDoqbKzKLVyYmjrKuMFw+O7CWncObYrM1y7317lVbG6/BylM
q715mR0tV4xJV8xgliRc1qd/hydcnc8DhhlV1cm1eNORX74/nLeOuWG85t8vu/Cq
5jOLnsbKaSc35iwBLNKrVEbM7mq0zzL4e7sbPqKfWmzoKoU6wwBffcbQI6AAP/pg
qtD3giHbxOJSiq9f4GczGxvnr0F2hZOhRbAg9ZzzdhvA9wZx/Bb3q1JDgG5U9vuw
puIes4ydBByoB/slTbPvg6DAutZLQ48iJITPfkzBGdXJ9ayMNJ4qSV5rV3T/94pe
VMLZ7K7RbqYFLoEXtbTPY7E5SHGLuWhcTOEJ4c/Pl7RJoj1zK8q0sagF/XB51KpR
FdA3TegZD3PrAvy970UGymrUdqoW3D6GEvFO0IXOXAT9f7Cgx/pZ
=dOdm
-----END PGP SIGNATURE-----